Almost a quarter of reported vulnerabilities have no known solution
The number of reported vulnerabilities in 2018 is seven percent down on the same period last year, according to a new report from Risk Based Security.
It's not all good news, though: 24.9 percent of 2018's reported vulnerabilities currently have no known solution, a reminder that, while patching is very important, it can't be relied on exclusively as a remedy.
Vulnerabilities with a CVSSv2 score of 9.0+, often referred to as 'critical', accounted for 15.4 percent of all published vulnerabilities through the third quarter. Also, Risk Based Security's own VulnDB published 4,823 more vulnerabilities than CVE/NVD through the end of Q3 2018.
"It's important to understand the limitations of CVE/NVD-based solutions, and the risk that organizations face by not incorporating the most comprehensive vulnerability intelligence available in their risk management solutions," says Carsten Eiram, chief research officer for Risk Based Security. "Not only do they cover a subset of reported vulnerabilities, but analysis shows that CVE/NVD-based solutions are about 7-12 weeks behind. The serious risk faced by an organization not warned about a new vulnerability in a timely manner -- if at all -- is obvious."
Of all the vulnerabilities disclosed through Q3 2018, 67.3 percent are due to insufficient or improper input validation. Though this umbrella covers many distinct vulnerability classes, it's clear that vendors are still struggling to validate user-supplied input carefully. Having a mature software development lifecycle and some form of code auditing can help iron out many of these issues and significantly reduce the threat from attackers.
"The importance of comprehensive vulnerability coverage is clear, but even more critical is having timely intelligence which cannot be understated. We continue to see vulnerabilities that are being actively exploited in the wild well before most organizations are aware of the issues. It is an unfortunate situation to find yourself in a position to learn about a vulnerability after the damage is done," adds Brian Martin, VP of vulnerability intelligence at Risk Based Security.
You can read more in the full report available from the Risk Based Security site.